LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices



Reply
 
Search this Thread
Old 02-04-2007, 01:17 PM   #1
mrbinky3000
LQ Newbie
 
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Rep: Reputation: 0
Smile SELinux and Darwin Streaming Media Server


I run a web site dedicated to the local music scene. As such, I host my own videos via the free Darwin Streaming Media server. I ran out of space on my old server, so I rsynched all the files to a new server with a newer version of Fedora Core. Everything is set up fine. I copied my iptables rules over to the new server. But now there is a problem with some new security feature I've never had to deal with before called SELinux.

There was a thread on FedoraForum that explains how to use audit2allow -i /var/log/messages -l to scan /var/log/messages and automatically display the text of a rule that I need to import somehow into SELinux as a rule.

Anyone know what to do to get SELinux to import this rule:
Code:
allow unconfined_t sbin_t:file execmod;
And is that a rule I should import?

here is the orignal message log
Code:
Feb  4 12:30:48 marshal kernel: audit(1170610248.995:10): avc:  denied  { execmod } for  pid=13137 comm="DarwinStreaming" name="QTSSHomeDirectoryModule" dev=dm-0 ino=786456 scontext=user_u:system_r:unconfined_t:s0 tcontext=root:object_r:sbin_t:s0 tclass=file
Feb  4 12:30:49 marshal kernel: audit(1170610249.000:11): avc:  denied  { execmod } for  pid=13137 comm="DarwinStreaming" name="QTSSRefMovieModule" dev=dm-0 ino=786457 scontext=user_u:system_r:unconfined_t:s0 tcontext=root:object_r:sbin_t:s0 tclass=file
Here is the url of the Fedora Forum thread (this bbs won't let me add it to this post because it is my first post) fedoraforum.org/forum/showthread.php?t=31205
 
Old 02-04-2007, 07:49 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,679
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
For audit2allow you need to:
1. install the selinux-policy-$POLICYTYPE-sources,
2. run "cat /var/log/messages | audit2allow > /etc/selinux/$POLICYTYPE/src/policy/domains/misc/custom.te",
3. "make -C /etc/selinux/$POLICYTYPE/src/policy load".

[font size = fsckin humonguous]Note on RHEL5 / FC6 there are no more selinux-policy-$POLICYTYPE-sources, so instead you:
1. "audit2allow -M custom < /var/log/audit/audit.log",
2. "semodule -i custom.pp".

Last edited by unSpawn; 02-05-2007 at 12:54 PM. Reason: //clarification n such
 
Old 02-05-2007, 11:09 AM   #3
mrbinky3000
LQ Newbie
 
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Original Poster
Rep: Reputation: 0
Almost

Thanks for trying to help me out, but right off the bat, I can tell you that I have no /var/log/audit directory on my system. I am fairly sure I am running FC5.

Code:
# cat /etc/redhat-release
Fedora Core release 5 (Bordeaux)
I did find a config file for selinux in my etc file.

Code:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
 
Old 02-05-2007, 01:02 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,679
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
I edited my post. Hope it clears things up a bit.
 
Old 02-05-2007, 01:15 PM   #5
mrbinky3000
LQ Newbie
 
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Original Poster
Rep: Reputation: 0
Closer?

Quote:
Originally Posted by unSpawn
For audit2allow you need to:
1. install the selinux-policy-$POLICYTYPE-sources,
2. run "cat /var/log/messages | audit2allow > /etc/selinux/$POLICYTYPE/src/policy/domains/misc/custom.te",
3. "make -C /etc/selinux/$POLICYTYPE/src/policy load".

Note on RHEL5 / FC6 there are no more selinux-policy-$POLICYTYPE-sources, so instead you:
1. "audit2allow -M custom < /var/log/audit/audit.log",
2. "semodule -i custom.pp".
OK, I gather from your instructions that since I am using Fedora Core 5, I don't have to install the selinux-policy-$POLICYTYPE-sources. So instead I need to ...
1. "audit2allow -M custom < /var/log/audit/audit.log",
2. "semodule -i custom.pp".[/QUOTE]


Ok. I'll try step one. Here is what I get.

Code:
# audit2allow -M custom < /var/log/audit/audit.log
-bash: /var/log/audit/audit.log: No such file or directory
I don't have any audit directory in my /var/log directory. Did you get the redirection wrong or something?
 
Old 02-05-2007, 02:04 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,679
Blog Entries: 54

Rep: Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955Reputation: 2955
OK, I gather from your instructions that since I am using Fedora Core 5, I don't have to install the selinux-policy-$POLICYTYPE-sources.
I read that exactly the other way around. Because you don't run FC6 you'll have to install... etc, etc.
 
Old 02-05-2007, 02:42 PM   #7
mrbinky3000
LQ Newbie
 
Registered: Dec 2002
Location: Athens, Ohio USA
Distribution: Fedora Core 1,5,6
Posts: 13

Original Poster
Rep: Reputation: 0
Thumbs up Step one?

[QUOTE=unSpawn]For audit2allow you need to:
1. install the selinux-policy-$POLICYTYPE-sources,
2. run "cat /var/log/messages | audit2allow > /etc/selinux/$POLICYTYPE/src/policy/domains/misc/custom.te",
3. "make -C /etc/selinux/$POLICYTYPE/src/policy load".

Ahhh Ha! Ok. So how do I do step one. When I echo the global variable $POLICYTYPE it returns a blank.

Code:
[root]# echo selinux-policy-$POLICYTYPE-sources
selinux-policy--sources
Do I install via yum like below?

Code:
yum install selinux-policy-$POLICYTYPE-sources
Thanks for the help, by the way!
 
  


Reply

Tags
darwin, media, selinux, server, streaming


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Streaming Media Server App mattway Linux - Server 4 10-17-2006 06:13 AM
Darwin Streaming Server problem tendonut Linux - Software 0 11-11-2005 01:37 PM
Darwin Streaming Server Connection problem mting923 Linux - Newbie 0 11-09-2005 01:47 PM
streaming media server in linux? bburnham1141 Linux - Networking 5 06-30-2005 07:08 AM
Darwin Streaming Server??? lemay_jeff Linux - General 0 04-14-2004 10:07 AM


All times are GMT -5. The time now is 12:23 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration